10-11-2017, 03:49 AM
(This post was last modified: 10-11-2017, 06:09 AM by stuartiannaylor.)
(10-11-2017, 02:21 AM)Luke Wrote:
(10-11-2017, 01:43 AM)stuartiannaylor Wrote: https://sourceforge.net/projects/rock64-...g/download
https://sourceforge.net/projects/rock64-wall/
Will be knocking up a simple firewall router image based on ayufan's xenial image.
Currently just a simple base with webmin / dnsmasq, with iptables completely open and routing enabled.
Base uploaded; next will be openvpn, snort.
Finish off with dansguardian / squid.
May include samba4 and use kerberos, will see how things go.
This is really good. May I suggest that perhaps you put together a script instead of a dedicated image and push that to ayufan ? Kind of like how ayufan added the OMV script to his minimal.
Prob not a script as I fail totally with regexs, but yeah loaded up the image for those who just want to grab at various stages without having to bother.
With each image just going to document the cli commands used and a little bit of rationale & reason why.
Image first, then go back to scratch and do it again and just document the cli, which prob this aft will do.
I may use the full isc dhcp & bind9 but to be honest I have used them before and always been a little bemused as yeah I know what they can do above dnsmasq but frankly never have.
dnsmasq is just a great lightweight dns/dhcp that if someone can post good reasons I might also go down that route.
Will see what you guys say.
So far it has been extremely simple, so not much to script, but thought maybe my fudges and poor attempts may be a gauntlet thrown to someone else.
## CLI Commands from start
Starting with xenial-minimal-rock64-0.5.10-118-arm64 https://github.com/ayufan-rock64/linux-b...m64.img.xz
```
sudo -i
systemctl -l
```
Looking through the list of services we have 2 failures ureadahead & zram-config.
Also noticed network-manager in that list! Bye to him as well.
```
apt-get remove ureadahead
apt-get remove zram-config
apt-get remove network-manager
apt-get remove dnsmasq-base
```
Really not more than a little bit of housekeeping but yeah get rid of network manager for a server base.
So now to turn on IPv4 forwarding, and because I have over 1GB RAM I am actually going to tell Ubuntu to prefer it a bit more.
```
nano /etc/sysctl.conf
```
Change #net.ipv4.ip_forward=1 to net.ipv4.ip_forward=1 to enable.
At the end tack on:
```
# Improve cache management
vm.vfs_cache_pressure=50
```
I have also banged my 32GB eMMC, opened up gparted and created a 4GB swap.
If you do, add this line, as it will prefer memory and is a good level with more fickle media such as SSD & flash.
```
vm.swappiness=10
```
So it's up to you: either just delete the hash to enable net.ipv4.ip_forward=1 and ignore the rest if you so wish.
```
ip addr show
```
If you have plugged in a USB ethernet adapter you will see that it is down and highly likely to have an ethernet name from hell like mine which is enx00e04c534458!
So we are going to create a udev persistent rule to give us a much nicer name.
```
nano /etc/udev/rules.d/70-persistent-net.rules
```
```
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:e0:4c:53:44:58", KERNEL=="eth*", NAME="eth1"
```
From the ip addr show I returned:
```
3: enx00e04c534458: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:e0:4c:53:44:58 brd ff:ff:ff:ff:ff:ff
```
You can see where I copied and pasted the MAC notation into the persistent rule, and on next boot I will have eth1.
Same with multiple NICs: if you are going to go crazy and maybe have a DMZ or even port trunking, just increment NAME="ethx".
Again not essential, but for me they are much more logical when administering the system.
So before we install webmin a bit more housekeeping.
```
apt-get update
apt-get upgrade
apt autoremove
```
So webmin needs:
```
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
wget http://prdownloads.sourceforge.net/webad...50_all.deb
dpkg --install webmin_1.850_all.deb
rm webmin_1.850_all.deb
```
At this stage you could fire up webmin on the eth0 IP and configure from there, but I prefer cli to start with; also the dnsmasq module for webmin needs to be downloaded and installed and doesn't at all like remarks in the config file.
My router creates a private lan on 192.168.1.0, which will be the WAN subnet.
I have chosen 192.168.0.0 for my LAN subnet but...
"The private address segments (10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255) are commonly referred to as "non-routable" addresses."
Any of those: 10.0.0.0 is common, but there are plenty to choose from; it is important that it's a "non-routable" address scope.
```
nano /etc/network/interfaces.d/eth1
```
Copy & paste, or choose your own based on:
```
auto eth1
iface eth1 inet static
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
post-up iptables-restore < /etc/iptables.up.rules
```
Now dnsmasq
```
apt-get install dnsmasq
cp /etc/dnsmasq.conf /etc/dnsmasq.old
```
As we edit dnsmasq.conf, delete all the remarks; we have a backup copy in dnsmasq.old for reference, as the webmin module just doesn't like them.
```
nano /etc/dnsmasq.conf
```
Delete all the guff and start with something simple; you can always refer back to dnsmasq.old for more complex setups.
```
domain-needed
bogus-priv
no-resolv
no-poll
server=192.168.1.1
server=8.8.8.8
interface=eth1
domain=rock.lan
dhcp-range=192.168.0.24,192.168.0.254,12h
```
Then we will set up a FQDN in /etc/hosts & /etc/hostname
```
nano /etc/hosts
```
so it looks something like:
```
127.0.0.1 localhost
127.0.1.1 rock64.rock.lan rock64
192.168.0.1 rock64.rock.lan rock64
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
```
nano /etc/hostname
```
```
rock64.rock.lan
```
Obviously change to whatever registered or non-registered domain name fits your organisation.
Then set the iptables and NAT masquerade up the easy way.
```
apt-get install iptables
```
In a browser type in https://wan-assigned-router-addr:10000
Mine is https://192.168.1.20:10000 and log into webmin with the sudo user rock64
In networking -> linux firewall
Select "Do network address translation on external interface", in my case set to eth0.
Enable firewall at boot and click Setup firewall.
Now to get the dnsmasq module, which is a bit old & creaky, but after getting rid of all the remarks in dnsmasq.conf it seems to work quite well and is good for reference at least.
So google search for webmin dnsmasq.
I downloaded from http://nixbit.com/software/dnsmasq-webmi...le-review/
Webmin -> Webmin Configuration -> Webmin modules.
Select "From uploaded files" and browse to the .wbm download.
Click Install module.
System -> Bootup & Shutdown, scroll down to the bottom and click Shutdown system & confirm by clicking Shutdown system.
Swap your ethernet cables around so the router is on eth0 (WAN) and your switch/hub is on eth1 (LAN).
Press the power on button on the rock64.
What you might have to do is force dhcp to get the new ip address (Windows way).
```
ipconfig /release
ipconfig /renew
ipconfig /all
```
Should see us rocking on the rock.lan
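The interfaces file above restores /etc/iptables.up.rules on post-up, but the rules themselves come from webmin's "Setup firewall" and the base image is described as completely open. As an added example (not from the post, webmin or any project), here is a small POSIX shell generator for that file, assuming WAN = eth0, LAN = eth1 and the 192.168.0.0/24 LAN subnet used in the post: it masquerades LAN traffic out of the WAN interface and defaults INPUT and FORWARD to DROP, letting only established flows back in plus DNS, DHCP, SSH and webmin from the LAN side.

```shell
#!/bin/sh
# Added example, not the post's own setup (which used webmin's firewall module).
# Assumptions: WAN = eth0, LAN = eth1, LAN subnet 192.168.0.0/24, dnsmasq serving
# DNS/DHCP on the LAN side, sshd on 22 and webmin on 10000 reachable from the LAN only.
# Usage: sh gen-rules.sh [wan] [lan] [lan_cidr] > /etc/iptables.up.rules
gen_rules() {
  wan="${1:-eth0}"
  lan="${2:-eth1}"
  lan_net="${3:-192.168.0.0/24}"
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the LAN behind the router's WAN address (what webmin's NAT tick box does)
-A POSTROUTING -s ${lan_net} -o ${wan} -j MASQUERADE
COMMIT
*filter
# Default deny inbound to the router and across it; only what is listed below passes
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# LAN-side services only: DNS (53/udp+tcp), DHCP (67/udp), SSH (22), webmin (10000)
-A INPUT -i ${lan} -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i ${lan} -p tcp -m multiport --dports 22,53,10000 -j ACCEPT
-A INPUT -i ${lan} -p icmp --icmp-type echo-request -j ACCEPT
# Replies to LAN-originated flows come back; nothing new is forwarded in from the WAN
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${lan} -o ${wan} -s ${lan_net} -j ACCEPT
COMMIT
EOF
}

gen_rules "$@"
```

Syntax-check the result with `iptables-restore --test < /etc/iptables.up.rules` before the next ifup. Because port 10000 is only accepted on eth1, apply it after the cable swap, when webmin is reached from the LAN side rather than the WAN-assigned address.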